How use signature pattern for hooking

Question

I like to replace the static function address:
 AddressOfHookSoundFunction = (DWORD)GetModuleHandleA("myfile.exe") + 0x0F3B65; // good: 4406117 (integer)

using signature pattern:
 SigScan Scanner;

AddressOfHookSoundFunction = Scanner.FindPattern("myfile.exe", "x55x8BxECx83xECx14x53x56x8B", "xxxxxxxxx"); // bad: 3685831 (integer)

but the value is different and work only the static address: 0x0F3B65
here the IDA screenshot:

Probably I have insert a wrong dump information.
here the code of signature scanning:
class SigScan
{
public:
    // For getting information about the executing module
    MODULEINFO GetModuleInfo(char *szModule)
    {
        MODULEINFO modinfo = { 0 };
        HMODULE hModule = GetModuleHandleA(szModule);
        if (hModule == 0)
            return modinfo;
        GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(MODULEINFO));
        return modinfo;
    }

// for finding a signature/pattern in memory of another process
    DWORD FindPattern(char *module, char *pattern, char *mask)
    {
        MODULEINFO mInfo = GetModuleInfo(module);
        DWORD base = (DWORD)mInfo.lpBaseOfDll;
        DWORD size = (DWORD)mInfo.SizeOfImage;
        DWORD patternLength = (DWORD)strlen(mask);

for (DWORD i = 0; i < size - patternLength; i++)
        {
            bool found = true;
            for (DWORD j = 0; j < patternLength; j++)
            {
                found &= mask[j] == '?' || pattern[j] == *(char*)(base + i + j);
            }
            if (found)
            {
                return base + i;
            }
        }

return NULL;
    }
};

Can you help me please ?

user3449922 · Answer

I have understand what happen just add only 2 digits:
AddressOfHookSoundFunction = Scanner.FindPattern("myfile.exe", "x55x8BxECx83xECx14x53x56x8Bx75x0C", "xxxxxxxxxxx");

and now work.

How use signature pattern for hooking

One Answer

Add your own answers!

Ask a Question